Cons

Bottom Line

Despite the "Premium" in its name, the excellent LogMeOnce Password Management Suite Premium is totally free, and it offers a ton of features not usually found in free password managers.

May 16, 2018

Passwords are terrible. We all hate them. But we're stuck with them until something better comes along. Still, it seems like adding insult to injury when the first thing a password manager does is ask you to create and remember...a master password! The developers at LogMeOnce feel your pain. If you have a smartphone or mobile device available, LogMeOnce Password Management Suite Premium is perfectly happy without a master password. Just be sure to keep that smartphone extremely well secured. This free password manager rivals LastPass in its broad feature set, and offers more features than most of its for-pay competitors.

Like LastPass, LogMeOnce is totally free, with no limit on the number of saved passwords or on the number of devices you use. It does display ads on its login page and some other pages. Certain advanced features aren't available in the free edition; gaining access to those requires that you purchase LogMeOnce Password Management Suite Ultimate. Other features have limits not found in the paid edition. Still other features are extra cost add-ons even if you purchased the Ultimate edition. Still, this free password manager is more feature-rich than its competitors.

Speaking of those competitors, LogMeOnce can import passwords from LastPass, Dashlane, Roboform, and more than a dozen others. If you're looking to switch to a new password manager, importing from your old one certainly makes it easy. And LogMeOnce includes detailed instructions for each supported import source. LogMeOnce can also import passwords stored in Chrome, Firefox, Internet Explorer, and Safari. KeePass is the import king, with the ability to import password data from more than 40 competitors.

New Dashboard

Since my last review, LogMeOnce's user interface has completely changed, a total makeover. The main dashboard is mostly whitespace, with the big message "Think Differently." To the right is a circle of icons; you can put your own photo in the middle. The circle features these icons: Password Manager, Mugshot, Password SHOCK, Productivity Charts, Two-Factor Authentication, Secure Notes, Secure Wallet, and Anti-Theft.

I'm not sure I see the point in using only a third of the available space for that circle of icons. I'm also disappointed that narrowing the window simply caused the entire display to shrink proportionally in my testing. But overall, it's much more clean and elegant than the interface in the previous version.

Those eight icons orbiting your photo represent just a few of the huge selection of available features. Many more features are available from the Smart Menu, organized into Productivity, Security, Reports, and General. You can launch any of the almost two dozen features directly from the Smart Menu. Those using the paid edition can remove any unwanted icons from the dashboard and replace them with features from the smart menu. Paying customers also get a Smart Menu without the third-party advertising banner found in this edition.

Passwordless Authentication

You begin the process of signing up for a LogMeOnce account by entering your first name, last name, and email address. You also choose a security question and answer. Here, as always, it's extremely important to pick something that nobody could figure out by Googling you or eyeing your social media. Rather than accept one of the predefined questions, add a unique question that has meaning to you, and only you.

Now comes the big choice. You can choose to create a passwordless account, or one that uses a master password. For testing, I started with the default passwordless account, and installed the necessary browser plugin. The account creation wizard sent a text to my iPhone with a link to install the LogMeOnce app. Once I entered my email address in the app, the Web page displayed a QR code for pairing. To finish off the process, I defined a six-digit PIN.

The free Myki Password Manager & Authenticator offers a similar style of passwordless login, but with Myki your passwords reside on your phone, not in the cloud. You need a PIN or fingerprint to log in to Myki, but there's not even an option to use a master password. This might sound a bit risky, but it's actually a form of two-factor authentication. Logging in requires that you both have the smartphone and either know the PIN or authenticate with your fingerprint.

You can use LogMeOnce on any computer, but you do have to install the browser extension first. Once you've done that, LogMeOnce sends an authentication request to your smartphone. If the phone supports it, you can log in with a fingerprint. If not, that six-digit PIN does the job. Bear in mind that a hacker couldn't do anything with the PIN alone. Authentication requires knowing the PIN and having possession of the smartphone.

Note that because LogMeOnce's desktop version is a browser extension, it's only enabled for the browser where you installed it. If you try to log in from a different browser, LogMeOnce prompts you to install that browser's extension. Because LogMeOnce is totally browser-based, it's not limited to a specific platform. It works just the same on Windows and macOS devices. You can even use it under Linux (something I haven't tried). It's also available in the app store for both Android and iOS devices.

New Onboarding Process

If you've never used a password manager before, the first steps can be a bit daunting. LogMeOnce now includes a thorough training for new users. It's a significant investment of time, so don't start it unless you're ready to go all the way, learning the ropes and making configuration choices.

During the process, you'll choose whether to use LogMeOnce as nothing but a password manager, or to enable its ancillary features (you can change your mind later). Some pages overlay informative text on the program's screens, showing what each icon does. You'll import passwords from your browsers, and optionally from a supported import source.

The onboarding process also walks you through setting up features that just aren't available in the free edition. These include Scheduled Login, Account Freeze, and Password SHOCK. I skipped these.

The next phase of onboarding, called Test Drive, walks you through manually creating a password entry and adding a group, a secure note, and a credit card. Finally, you can earn free secure storage by paging through what the program calls trivia. These are screens calling attention to the program's unusual features.

Like many things about LogMeOnce, this process felt over-enthusiastic. For example, one of the trivia pages illustrated the difference between LogMeOnce and every other password manager with a picture of a shelf full of features for LogMeOnce, and a near-empty shelf with nothing but password management for the rest. A chart on the product's web page similarly displays a vast list of features, claiming only LogMeOnce has them. The question is, whether you want or need all these features.

PhotoLogin and Other Mobile Choices

There's also an unusual authentication option called PhotoLogin. When logging in on the smartphone itself, this feature simply snaps a photo of whatever is in front of the phone. If the photo matches what you expected to see, you tap to log in. I find this a bit mystifying. The phone is in my hand. How would the photo fail to match what I just snapped?

The real value of this feature comes when you authenticate your login from the browser-based version. Then it's similar to the tap-to-authenticate feature used by Keeper and others, though they use the mobile-based authentication as a second factor, in addition to the master password.

Alas, using this feature to authenticate your login from the browser-based version is a premium-only feature. Indeed, when I tried, it simply showed a generic image. However, when I entered the PIN, it still unlocked my account in the browser.

While PhotoLogin seems akin to facial recognition, it really isn't. You, the user, verify that the picture you are seeing is what you just snapped. In my previous evaluation I noted that someone who picks up your unlocked phone can tap to verify, and thereby get full access to your passwords. In the current edition, you can't turn off PIN validation, which is certainly safer. Even so, if someone gets hold of your unlocked phone, the only protection for your passwords is that six-digit PIN, which is vastly less secure than a strong master password. If you decide to use this feature, be sure to protect your phone with a strong password and biometric authentication, and never put it down without locking it.

True Key allows true facial recognition for authentication, and you can configure it to authenticate without the master password. Indeed, if you've defined enough biometric and other authentication factors, you can reset a forgotten master password. You can't create an account with no master password, the way you can with LogMeOnce, but you can configure True Key to unlock based on factors other than the master password.

On your mobile installation, you can enable authentication via fingerprint, and you must create a PIN. You can log in to the browser-based edition on your desktop using either of these. When you do, it directs you to check your mobile device. Just scan your print or enter your PIN to allow login on the desktop.

Adding Applications

LogMeOnce comes with numerous short videos explaining all its features. On viewing a few of these, you'll quickly realize that by applications this product means what other products might call accounts, passwords, or logins. As with LastPass, Dashlane, RoboForm Everywhere, and most competing products, the LogMeOnce browser extension notices when you log in to a secure site and offers to save your login credentials as an application. You can assign the new application to one of seven predefined groups at capture time. Creating new groups used to be a premium-only feature, but it's now available at the free level.

From the Smart Menu, you can open the product's catalog of more than 4,500 known sites. To add one to your app collection, simply click it and enter your username and password. If a site is in the catalog, you know that LogMeOnce can handle it, even if it uses a nonstandard login page.

You can also add an app manually. As you start typing the name, LogMeOnce lists matching sites from its extensive catalog. LastPass, Sticky Password Premium, and a few others take a different approach to nonstandard logins, allowing the user to simply capture data from all fields. LogMeOnce can also capture all data fields from oddball login pages, and it does so in a very clear and simple way.

For sites in the catalog, LogMeOnce displays the saved logo. For unknown sites, it grabs a screenshot. You can also choose a custom image.

Whether captured as you log in or created manually, new apps use Single Sign-On by default. That means LogMeOnce will log in automatically when you launch the app from the browser toolbar. If you simply revisit a site that has login credentials saved, LogMeOnce asks whether you want to log in, and which credentials to use when you have two or more. Requiring some user interaction at this point is important. Researchers have identified a technique whereby malefactors inject script into a page that creates an invisible login form, then harvests the login credentials automatically filled by the browser or password manager.

If you choose to enable Single Log-Out, logging out of LogMeOnce also logs you out of the site. That's a feature I haven't seen elsewhere.

With most competing products, you click the browser toolbar button for a menu of available logins. LogMeOnce is a bit different, displaying a panel of icons representing your top 20 logins. Just click one to go there and log in. If you've saved a ton of sites, you can find the desired one quickly by typing in the search box. Each letter you type narrows the list.

LogMeOnce stores passwords for websites only, not for other programs. The only free password manager I've evaluated that handles passwords for programs (other than Android apps) is KeePass, which doesn't support the usual password capture and replay for websites.

Password Calculator and Password Policy

When you create a new account, LogMeOnce's password calculator offers to generate a strong password. By default, it creates 15-character passwords using all character types. That's better than Symantec Norton Identity Safe, which defaults to 8 characters. The default in Enpass Password Manager is an impressive 18 characters, but KeePass tops that with 20 characters. MyKi beats all the free and paid password managers I've evaluated with a default password length of 30 characters.

The name password calculator refers to the fact that it calculates the approximate time required to crack whatever password you type into it. For example, it estimates three hours to crack "Password," but 78 days to crack "Password!" with an exclamation mark. As for its own generated passwords, well, don't try cracking those unless you have billions of years to spare.

Launching Password Policy from the Smart Menu gives you some control over the policy enforced by LogMeOnce. The point of setting a password policy is to encourage good security habits. By default, your master password expires every three months, and you must replace it with a new master password you've never used before. You can eliminate or soften the restriction on previously used passwords, allowing reuse after three or five other master passwords. Those using the premium edition can change the expiry time to as short as one month or as long as one year. Of course, this applies only if you've added a master password to your LogMeOnce account.

By default, LogMeOnce requires that a master password consist of at least eight characters, containing uppercase letters, lowercase letters, and digits. If do choose to use a master password, I suggest you make it a strong password, well beyond the minimum requirements.

Two-Factor Bonanza

When you're using passwordless authentication, you've already got a form of two-factor authentication. Nobody can log into your account unless they also possess your smartphone. But if you're looking for additional security, LogMeOnce has a ton of options. Click Two-Factor Authentication from the dashboard to set it up.

The two-factor authentication page implies that you must establish a master password to use two-factor protection, but I found that I could use multiple factors along with passwordless authentication. You can use Google Authenticator, or a Google Authenticator work-alike such as Duo Mobile or Twilio Authy, as a second factor. Making the connection is as simple as snapping a QR code with your mobile device.

Like True Key, Zoho Vault, and others, LogMeOnce can send a one-time passcode via text message, for a second authentication factor. It can also send that one-time code as a voice call. But unlike any other product I've seen, LogMeOnce charges you for the privilege of using voice or SMS authentication. In the US, voice calls cost four credits and text messages cost two. You purchase credits in bundles of 1,000 for $10. Two-factor authentication via email is free, at least.

With oneID, Keeper, and a few others, phone-based authentication is a snap. You simply tap the notification that appears on your smartphone to allow the login.

Additional two-factor options become available in the premium edition. These include Selfie-2FA (photo-based security), authentication using a prepared USB drive, and (for geeks only) authentication using an X.509 certificate. If you enable multiple two-factor options, your master password plus any one of the other factors unlocks the account.

LastPass also supports text-based two-factor authentication, at no charge, along with support for Google Authenticator and work-alikes. Security-minded folks can enter the LastPass master password using a virtual keyboard, one of the very few features not found in LogMeOnce.

While not precisely related to two-factor security, LogMeOnce's Mugshot feature also helps secure your account if someone else gets hold of your device. On a failed login attempt, this feature snaps photos with the front and rear cameras and transmits that information to your account, along with the device's location and IP address. Note that the premium edition includes a full-scale set of anti-theft features.

Identity Profiles

Filling passwords into login pages isn't much different from filling personal data into Web forms. Like many other password managers, LogMeOnce lets you define personal information profiles for Web form filling.

This utility's collection of personal data isn't as extensive as some, but it covers the basics. Personal data consists of first and last name, email address, birthday, and gender (just male or female, not the dozens of choices you get with Tinder). And you can identify each phone number as cell, home, fax, work, or other. I am pleased that the multiple phone entries correctly filled the matching fields, and that it filled an Age field by calculating from the profile's birthdate.

You can create multiple profiles, each of which must have a different email address. Within a profile you can create multiple instances of personal, address, phone, and company data. RoboForm Everywhere is even more flexible, with the option to add multiple instances of any field.

LogMeOnce lets you save credit card details in its Secure Wallet. Cleverly, it detects the card type based on the number you enter. Like Dashlane, it creates a card image using the background of your choice, with the cardholder name and issuing bank. When you click in a credit card field on a Web form, you choose from the clear visual representations of your cards.

Sharing and Inheritance

When you point the mouse at an app in LogMeOnce's Cloud Dashboard, you see icons for sharing and for assigning a beneficiary, and (when available) automatic password change. I'll discuss automatic password change below.

You can share any of your passwords with another LogMeOnce user, using the recipient's email address. The free edition allows five shares; there's no limit in the premium edition. As with LastPass and Dashlane, the recipient can use the login but can't see the password. If you choose to make it an open share, the password is visible, but read-only. There's also an option to set an expiry date, but only in the premium edition.

Defining someone as the beneficiary for a password is a different matter. The beneficiary gets access to your data only after a specific waiting period. The similar feature in Dashlane, Keeper, and others lets you choose the waiting period, but LogMeOnce fixes the waiting period at 45 days. You can set a beneficiary for up to five specific apps. A premium account can have unlimited beneficiaries. There's also an option to require proof of death before LogMeOnce releases the data. From the Smart Menu, you can define a beneficiary to receive your entire account.

Password Reporting and Changing

When you start using a password manager, the first thing you do is get all your existing passwords into the collection. It's easy enough to let the password manager generate strong passwords for any new accounts you register. But eventually, you really must go back and fix any weak or duplicate passwords.

The Security Scorecard page, reached from the Smart Menu, gives you an overview of your security status as well as what it calls a hybrid identity score. The latter is based on a handful of specific criteria, among them whether you're using two-factor authentication and whether you've watched the training videos. Clicking for details on master password strength or overall password strength triggers an invitation to upgrade.

Really, the most important part of this report is at the bottom, which lists all your passwords, from weakest to strongest, and also flags any duplicates. Like LastPass and Dashlane, LogMeOnce can automate the password change process for many common websites. There's also a separate page that just lists the passwords that it can change automatically, with a big button to change them all.

LogMeOnce also provides productivity charts, different views of how you use the product. However, I'm not sure how many users need a bar graph of account activity, or a pie chart of which browsers got the most use.

Ultimate Features

A colorful Productivity Dock across the bottom of the dashboard offers quick access to important features. As you point to icons in the dock, they expand, much as on the macOS desktop. And if you're using the free edition, the expanded icon is kind of a bummer. It displays a tooltip noting that you must upgrade to the Ultimate edition use the dock. I would just turn off display of the non-functional dock.

The Devices tab under Security lists all your devices, and lets you delete a device that you no longer use. A map across the bottom lets you locate a missing device…but only if you're a paid user. For those who've put up the money, LogMeOnce offers a full set of anti-theft features, among them remote locate, lock, and wipe, the ability to display a message on the missing device, and an option to make it ring at top volume, in case you've simply mislaid it.

When you get a notification on your mobile device that someone wants to log in to your account, you had better hope that someone is you. Users of the premium edition get a ton of information along with the login request, things like the associated email address, date/time stamp, IP address, and even GPS coordinates.

New in this edition, you can attach files to any password or secure note. However, you only get 1MB of storage with the free edition. As with Keeper Password Manager & Digital Vault, even those paying for the product must pay again for more storage, $9.96 per year for 10GB or $19.92 per year for 20GB.

Extra-Cost Add-Ons

I mentioned that even those with a paid subscription must pay again for added secure file storage. At an even higher level of secure storage called Secure Drive, you get a fully encrypted, fully manageable online storage drive. Prices range from $39.96 per year for 50GB to $199.92 per year for 250GB.

Even those paying for Ultimate must pay a little extra for some features, including Scheduled Login, Password SHOCK, and Account Freeze. Briefly, Scheduled Login lets you specify roughly when you intend to log in again; a hacker who attempts login at any other time doesn't stand a chance. Account Freeze lets you temporarily freeze account access, or lock it to your home IP address. And Password SHOCK activates one of eight annoying behaviors on attempts at unauthorized access to your account. Actually, those using the free edition get three activations of Password SHOCK, and those who've paid for the Ultimate edition get nine. Unlimited Password SHOCK activations is an extra-cost option. I'll discuss these in more detail in my review of the paid edition.

At present, LogMeOnce offers two bundles. One includes the Ultimate edition plus enhanced Mugshot, Scheduled Login, and 10MB of secure file storage for $4.99 per month, which comes to $59.88 per year. For $7.50 per month, or $90 per year, you can up the storage to 20MB and add Password Shock and Account Freeze. Those prices are way outside the password manager norm. The page advertising the bundles does claim that you'll save $263.24 by buying the bigger bundle. That figure made a little more sense to me after my contact at the company explained that the calculation assumes a five-year plan. A little.

Feature Overkill?

The pricing and comparison page on the LogMeOnce website lists 21 features that (according to the company) no other password manager has. Many of these are the company's own patented technology, so naturally nobody else has those. But I'm coming to believe that the reason other products don't include many of these is that they're not needed.

A little farther down, that same page lists 46 distinct program features, with three columns indicating feature support in the Premium, Professional, and Ultimate editions. In each row a blue dot indicates full support, a yellow dot indicates no support, and a dot that's one quarter, half, or three quarters blue means partial support. Yes, you can click each of the 46 items for a lengthy description, and an explanation of those partial-support icons. I expanded all the descriptions and copied the table into Word, which reported that the resulting document would take 43 pages if printed. I salute the persistence of the authors of this page, but I doubt many users dig in for those details.

When you're using the free edition, there's no simple indicator for unavailable features. They're not grayed out or otherwise marked. You can, for example, tell Account Freeze to freeze access to your account until a specific date and time. Only when you attempt to save your changes do you get the warning that this is a paid edition feature.

It's clear the product's designers are very proud of their product and its many features, but I'm not convinced that this overflow of features is a good thing. I don't see a lot of value in the productivity charts. I haven't seen Single Log-Out in other products, but I also haven't wanted it. And while blasting loud music at a hacker, vibrating the hacker's device, and the other annoyances of Password SHOCK sound cool, I really don't think it's necessary.

Excellent but Overstuffed

Despite the word Premium in its name, LogMeOnce Password Management Suite Premium is completely free, and it offers a boatload of features, many of which aren't found in any competing password manager. When we first saw it, we were dazzled by the vast ocean of features. Lately we've come to appreciate password managers that do everything necessary, as unobtrusively as possible, and with consistency across platforms. In the commercial password manager realm, Keeper and Dashlane exemplify this style, while still including advanced features like secure sharing, password inheritance, and an actionable password strength report.

The free edition of LastPass includes those same advanced features, along with two-factor authentication, automated password changing, and more. It's so complete that we recently demoted its big brother LastPass Premium from Editors' Choice, on the basis that it doesn't add enough value. In terms of the features we've identified as important, LastPass matches LogMeOnce, and there's no confusion about what's available. Yes, LogMeOnce is the absolute winner as far as feature count, and it will definitely appeal to some. But LastPass excels by getting the job done without fuss. For now, we're declaring LastPass our single Editors' Choice for free password management.

More Inside PCMag.com

About the Author

Neil Rubenking served as vice president and president of the San Francisco PC User Group for three years when the IBM PC was brand new. He was present at the formation of the Association of Shareware Professionals, and served on its board of directors. In 1986, PC Magazine brought Neil on board to handle the torrent of Turbo Pascal tips submitted by readers. By 1990, he had become PC Magazine's technical editor, and a coast-to-coast telecommuter. His "User to User" column supplied readers with tips and solutions on using DOS and Windows, his technical columns clarified fine points in programming and operating systems, and his utility articles (over forty of ... See Full Bio